Configuring ICAP Settings

Note:

When ICAP integration is enabled, Deep Discovery Analyzer automatically reduces Virtual Analyzer throughput to conserve system resources.

  1. Go to Administration > Integrated Products/Services > ICAP.
  2. Select Enable ICAP.
  3. Type the ICAP port number.

    The default value is 1344.

  4. To connect the ICAP client over a secure connection, select Enable ICAP over SSL and specify the following details:
    • ICAPS port number: Default value is 11344

    • Certificate: Certificates must use base64-encoding

    • Private key: Private keys must use base64-encoding

      Important:

      Only encrypted private keys are supported.

    • Passphrase

    • Confirm Passphrase

  5. (Optional) In the Header Settings section, specify how Deep Discovery Analyzer handles ICAP headers.
    1. Under ICAP headers from Deep Discovery Analyzer, select the ICAP headers Deep Discovery Analyzer sends to ICAP clients.

      For details, see ICAP Header Responses.

    2. Under ICAP headers from ICAP clients, select the ICAP headers to save when Deep Discovery Analyzer receives the headers from ICAP clients.
  6. (Optional) Under Scan Settings, select one or more of the following options:
    • Bypass URL scanning in RESPMOD mode

    • Scan samples using YARA rules

    • Scan samples using the selected suspicious objects list

      Note:
      • Suspicious objects in the generated suspicious objects list are added by the internal Virtual Analyzer in Deep Discovery Analyzer, while suspicious objects in the synchronized suspicious objects list are obtained from Deep Discovery Director.

      • If you select Synchronized suspicious objects list, you must also enable suspicious object synchronization from Deep Discovery Director.

        For more information, see Registering to Deep Discovery Director.

    • Scan samples using the user-defined suspicious objects list

    • Scan samples using the Predictive Machine Learning engine

    • Classify password-protected samples

  7. (Optional) Under Content Settings, do the following:
    1. Select Enable MIME content-type exclusion to exclude files from scanning based on the MIME content-types that you selected or specified.
    2. To have Deep Discovery Analyzer check the true file type of submitted samples, select Enable MIME content-type validation.
      Note:
      • The Enable MIME content-type validation setting only applies when you select Enable MIME content-type exclusion.

      • When you select this option, Deep Discovery Analyzer will still perform an ICAP pre-scan on samples with one of the following:

        • HTTP compression

        • Some MIME content-types in ICAP Preview mode

        • Custom MIME content-types

        • Some pre-defined MIME content-types

        Samples with unsupported file types are not submitted to Virtual Analyzer for scanning after ICAP pre-scan.

  8. (Optional) Under User Notification Pages, select Use a user notification page whenever the ICAP client blocks network traffic for the following events and specify a file that contains the page contents.
    Note:

    This setting allows Deep Discovery Analyzer to display a custom page whenever an ICAP client blocks network traffic for specific events. The ICAP client may override this setting. If the setting is enabled and the custom page is not displayed, verify that there are no conflicts with the ICAP client configuration.

    Deep Discovery Analyzer supports custom pages for the following events:

    • URL access

    • File upload

    • File download

    Note:

    Use any text editor to create the pages, and save as plain text. HTML tags may be used to apply formatting. Ensure that files are smaller than 5 MB.

  9. (Optional) Under ICAP Client List, do the following:
    1. Specify the number of Max connections allowed.

      The default value is 1000.

    2. Select Accept scan request from the following ICAP clients only to limit submissions to the listed clients.
      • To add a new IP address or IP address range, click Add.

      • To remove an existing entry, select an entry and click Delete.

      Note:

      By default, all ICAP clients can submit samples to Deep Discovery Analyzer.

  10. Click Save.
  11. Verify that ICAP integration is working correctly in Deep Discovery Analyzer.

    For high-risk samples:

    • Deep Discovery Analyzer returns an "HTTP 403 Forbidden" message to the ICAP client.

    • If the User Notification Page setting is enabled, Deep Discovery Analyzer includes the uploaded page as part of the message.

    • If X-Virus-ID and X-Infection-Found ICAP headers are enabled, Deep Discovery Analyzer includes these headers within the message.

    For no-risk samples:

    • Deep Discovery Analyzer returns the original message it receives from the ICAP client.

    • If the ICAP client supports ICAP "204 No Content", Deep Discovery Analyzer returns an ICAP "204 No Content" response without the original message.
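To check the step 11 outcomes from the client side, the following added example (not Trend Micro code) sends one RESPMOD request to the appliance and classifies the reply as no-risk, high-risk or error according to the cases listed above. The ICAP service path, the host names and the sample replies are assumptions or constructed; use the service path documented for your deployment.

```python
import socket

ICAP_PORT = 1344     # default ICAP port from the procedure (step 3)
ICAP_SERVICE = "/"   # assumption: use the service path documented for your deployment

# Constructed reply of the kind step 11 describes for a high-risk sample
BLOCKED_REPLY = (b"ICAP/1.0 200 OK\r\nX-Virus-ID: Example.Threat\r\n"
                 b"X-Infection-Found: Type=0; Resolution=2; Threat=Example.Threat;\r\n"
                 b"Encapsulated: res-hdr=0, res-body=45\r\n\r\n"
                 b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n0\r\n\r\n")

def build_respmod(icap_host, http_body, url="http://sample.test/file.bin"):
    """Wrap a constructed HTTP response in an ICAP RESPMOD request."""
    req_hdr = f"GET {url} HTTP/1.1\r\nHost: sample.test\r\n\r\n".encode()
    res_hdr = f"HTTP/1.1 200 OK\r\nContent-Length: {len(http_body)}\r\n\r\n".encode()
    # Encapsulated offsets are byte positions of each section within the body
    enc = f"req-hdr=0, res-hdr={len(req_hdr)}, res-body={len(req_hdr) + len(res_hdr)}"
    # "Allow: 204" tells the appliance this client accepts a 204 reply (step 11)
    icap_hdr = (f"RESPMOD icap://{icap_host}:{ICAP_PORT}{ICAP_SERVICE} ICAP/1.0\r\n"
                f"Host: {icap_host}\r\nAllow: 204\r\nConnection: close\r\n"
                f"Encapsulated: {enc}\r\n\r\n").encode()
    chunked = f"{len(http_body):x}\r\n".encode() + http_body + b"\r\n0\r\n\r\n"
    return icap_hdr + req_hdr + res_hdr + chunked

def classify(raw):
    """Map an ICAP reply onto the outcomes listed in step 11."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    icap_status = int(lines[0].split()[1])
    icap_headers = {k.strip().lower(): v.strip() for k, v in
                    (line.split(":", 1) for line in lines[1:] if ":" in line)}
    if icap_status == 204:
        return {"verdict": "no-risk", "reason": "ICAP 204 No Content"}
    if icap_status != 200:
        return {"verdict": "error", "reason": lines[0]}
    # ICAP 200: an encapsulated HTTP message follows; inspect its status line
    http_status = int(rest.split(b"\r\n", 1)[0].split()[1])
    if http_status == 403:
        return {"verdict": "high-risk", "reason": "HTTP 403 Forbidden",
                "virus_id": icap_headers.get("x-virus-id"),
                "infection_found": icap_headers.get("x-infection-found")}
    return {"verdict": "no-risk", "reason": "original message returned"}

def verify(icap_host, http_body, timeout=60):
    """Send one sample to a live appliance and classify the reply."""
    with socket.create_connection((icap_host, ICAP_PORT), timeout=timeout) as sock:
        sock.sendall(build_respmod(icap_host, http_body))
        raw = b""
        while chunk := sock.recv(65536):   # server closes after the reply
            raw += chunk
    return classify(raw)
```

If the User Notification Page setting is enabled, the encapsulated HTTP 403 body carries the uploaded page, so an operator can also confirm the page contents in `rest` when a block is returned.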